Devices Without a Compliance Policy Marked as Non-Compliant

Management Summary

Configure Intune to automatically mark devices WITHOUT a compliance policy as non-compliant, so that unmanaged devices get no access to corporate resources.

Recommendation
IMPLEMENT
Risk without
High
Risk Score
8/10
Implementation
3h (tech: 1h)
Applies to:
✓ Intune
✓ Device Management

Default Intune behaviour: devices without a compliance policy are COMPLIANT (permissive). This is DANGEROUS:

  1. Newly enrolled devices without policies get immediate access
  2. Forgotten devices without policy assignments keep their access
  3. Configuration errors (policy not assigned) go unnoticed
  4. Zero Trust principle violation (verify before trust)

The setting 'Mark devices with no compliance policy assigned as NON-COMPLIANT' enforces:

  1. Explicit policy requirement: ALL devices MUST have a compliance policy
  2. Fail-safe: a misconfiguration results in blocked access (safe)
  3. Zero Trust alignment: no access until proven compliant

Real-world scenario without this setting: a new device enrolls in Intune, the admin forgets to assign a compliance policy, the device has NO security baseline (no encryption check, no password policy, no jailbreak detection), the device gets immediate access to Exchange, SharePoint and Teams, and the compliance gap goes unnoticed until an audit. With this setting: the same scenario, but the device is marked non-compliant, Conditional Access blocks access, the admin receives an alert about the non-compliant device, a compliance policy is assigned, the device becomes compliant and access is granted. Fail-safe instead of fail-open.

PowerShell Modules Required
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

Intune tenant-wide setting: 'Mark devices with no compliance policy assigned as' = NON-COMPLIANT. Location: Intune → Devices → Compliance policies → Compliance policy settings. Effect: any device enrolled in Intune without an assigned compliance policy is automatically non-compliant; Conditional Access policies that require compliance block its access; administrators are forced to assign policies to all enrolled devices, which prevents configuration gaps.

Requirements

  1. Microsoft Intune subscription
  2. Compliance policies defined for all platforms (Windows, iOS, Android, macOS)
  3. Policy assignment plan: which policies apply to which device groups?
  4. Conditional Access policies that use the device compliance requirement
  5. Monitoring: alert on non-compliant devices

Implementation

Use the PowerShell script devices-without-policy-noncompliant.ps1 (function Invoke-Monitoring) to verify that the tenant setting is configured correctly.

Manual configuration via Intune:

  1. Microsoft Intune admin center → Devices → Compliance policies → Compliance policy settings
  2. Setting: 'Mark devices with no compliance policy assigned as' = Not compliant
  3. Click Save
  4. CRITICAL: verify that ALL enrolled devices have a compliance policy assigned BEFORE enabling this setting
  5. Otherwise legitimate devices will be blocked

Pre-implementation verification (IMPORTANT):

  1. Inventory: Intune → Devices → All devices → Export list
  2. Check: which devices have NO compliance policy assigned?
  3. Action: assign compliance policies to all devices FIRST
  4. Verify: zero devices without a policy
  5. THEN: enable the 'Mark as non-compliant' setting
  6. Monitor: check that no legitimate devices are blocked
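The pre-implementation check above, as an added PowerShell example that is not part of the baseline's own devices-without-policy-noncompliant.ps1 script: it reports every platform that has enrolled devices but not a single assigned compliance policy, using the Graph deviceCompliancePolicies collection (expanded with its assignments) and the managedDevices collection. It checks coverage per platform, not per device group; the function names and the two permission scopes are this example's assumptions.

```powershell
# Added example: per-platform pre-check before enabling
# 'Mark devices with no compliance policy assigned as Non-compliant'.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'   # follow paging until the collection is exhausted
    }
    return $items
}

function Get-PlatformName {
    # Normalises a policy @odata.type or a managedDevice operatingSystem to one label
    param([string]$Text)
    if ($Text -match 'windows')      { return 'Windows' }
    if ($Text -match 'ios|ipados')   { return 'iOS' }
    if ($Text -match 'android|aosp') { return 'Android' }
    if ($Text -match 'macos')        { return 'macOS' }
    return 'Other'
}

function Get-PlatformPolicyGaps {
    param([object[]]$Policies, [object[]]$Devices)
    # Platforms covered by at least one compliance policy that actually has an assignment
    $covered = @{}
    foreach ($p in $Policies) {
        if ($p.assignments -and @($p.assignments).Count -gt 0) {
            $covered[(Get-PlatformName $p.'@odata.type')] = $true
        }
    }
    # Platforms with enrolled devices but no assigned policy at all
    $gaps = @()
    foreach ($g in ($Devices | Group-Object { Get-PlatformName $_.operatingSystem })) {
        if (-not $covered.ContainsKey($g.Name)) {
            $gaps += [pscustomobject]@{ Platform = $g.Name; EnrolledDevices = $g.Count }
        }
    }
    return $gaps
}

# Assumed scopes: read access to compliance policies and to managed devices
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'DeviceManagementManagedDevices.Read.All'
$policies = Get-GraphCollection 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies?$expand=assignments'
$devices  = Get-GraphCollection 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=id,operatingSystem'
$gaps = @(Get-PlatformPolicyGaps -Policies $policies -Devices $devices)
if ($gaps.Count -eq 0) { Write-Host 'All enrolled platforms have an assigned compliance policy; safe to enable the setting.' -ForegroundColor Green }
else { $gaps | Format-Table -AutoSize; Write-Host 'Assign compliance policies for the platforms above BEFORE enabling the setting.' -ForegroundColor Red }
```

A platform listed in the output means every device of that platform would be blocked the moment the setting is enabled, so the export-and-assign steps above must be completed for it first.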

Monitoring

Use the PowerShell script devices-without-policy-noncompliant.ps1 (function Invoke-Monitoring) as a CRITICAL check: verify that the setting is enabled and that no devices are without a policy.

Daily monitoring:

  1. Intune → Devices → Monitor → Noncompliant devices
  2. Filter: devices without a policy (should be ZERO)
  3. Alert: any device without a policy requires immediate assignment
  4. Weekly: verify that all enrolled devices have assigned policies
  5. New enrollments: automated policy assignment via dynamic groups

Remediation

Use the PowerShell script devices-without-policy-noncompliant.ps1 (function Invoke-Remediation) to remediate.

If devices without a policy are found:

  1. Identify: which devices have no policy? (Intune → Devices → filter)
  2. Determine: which platform? (Windows/iOS/Android/macOS)
  3. Assign: the appropriate compliance policy for the platform
  4. Verify: device compliance evaluation triggered (sync the device)
  5. Check: is the device now compliant? (policy requirements met)
  6. Document: why was the policy not assigned? (process gap?)

Compliance and Auditing

This control contributes to compliance with:

  1. CIS Microsoft 365 Benchmark - Device management controls
  2. Zero Trust Architecture - Verify before trust (no implicit trust)
  3. BIO 12.06 - Device security (all devices must meet security requirements)
  4. ISO 27001:2022 A.8.1 - User endpoint devices (security requirements)
  5. ISO 27001:2022 A.8.9 - Configuration management (all devices managed)
  6. NIS2 Article 21 - Security measures (managed endpoint requirement)

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Devices Without Policy Non-Compliant
.DESCRIPTION
    Intune's 'Mark devices with no compliance policy assigned as' must be set to 'Non-compliant'.
.NOTES
    Filename: devices-without-policy-noncompliant.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 2.0
    Related JSON: content/m365/device-compliance/devices-without-policy-noncompliant.json
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Devices Without Policy Non-Compliant" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Write-Host "Monitoring:" -ForegroundColor Yellow
        Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All" -ErrorAction Stop

        # Tenant-wide compliance settings are exposed on the deviceManagement singleton (beta endpoint).
        $settings = Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/beta/deviceManagement/settings" -ErrorAction Stop

        # secureByDefault = $true is the Graph representation of
        # 'Mark devices with no compliance policy assigned as' = Non-compliant.
        $isCompliant = ($settings.secureByDefault -eq $true)

        $result = @{
            isCompliant     = $isCompliant
            secureByDefault = $settings.secureByDefault
            setting         = if ($isCompliant) { "Non-Compliant" } else { "Compliant or Unknown" }
        }

        Write-Host " Device Compliance Policy Requirement:" -ForegroundColor Cyan
        Write-Host " Mark devices without policy as: $($result.setting)" -ForegroundColor $(if ($isCompliant) { 'Green' } else { 'Red' })

        if ($result.isCompliant) {
            Write-Host "`nCOMPLIANT: Devices without policy marked as non-compliant" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`nNON-COMPLIANT: Setting not configured correctly" -ForegroundColor Red
            exit 1
        }
    } catch {
        Write-Host "`nERROR: $_" -ForegroundColor Red
        Write-Host " Configure in: Intune > Devices > Compliance policies > Compliance policy settings" -ForegroundColor Yellow
        exit 2
    }
}

function Invoke-Remediation {
    try {
        Write-Host "Remediation:" -ForegroundColor Yellow
        Write-Host " Manual configuration required:" -ForegroundColor Yellow
        Write-Host " 1. Go to Endpoint Manager admin center" -ForegroundColor Gray
        Write-Host " 2. Navigate to Devices > Compliance policies > Compliance policy settings" -ForegroundColor Gray
        Write-Host " 3. Set 'Mark devices with no compliance policy assigned as' to 'Non-compliant'" -ForegroundColor Gray
        Write-Host " 4. Click Save" -ForegroundColor Gray
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    try {
        Write-Host "Revert:" -ForegroundColor Yellow
        Write-Host " Manual configuration required" -ForegroundColor Yellow
        Write-Host " Set 'Mark devices with no compliance policy assigned as' to 'Compliant'" -ForegroundColor Gray
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

try {
    if ($Revert) { Invoke-Revert }
    elseif ($Monitoring) { Invoke-Monitoring }
    elseif ($Remediation) { Invoke-Remediation }
    else { Write-Host "Use: -Monitoring | -Remediation | -Revert" -ForegroundColor Yellow }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation
High: HIGH security risk. Without this setting: devices without compliance policies gain access to corporate data with zero security verification; configuration errors go unnoticed until an audit or incident; the Zero Trust principle is violated (implicit trust instead of explicit verification). For organizations with Conditional Access that uses device compliance, this setting is an essential fail-safe. Without it, CA bypass is possible via devices without policies.

Management Summary

CRITICAL: configure 'Devices without policy = Non-compliant'. Zero Trust fail-safe: NO access without verified compliance. Prevents configuration gaps and unmanaged device access. Meets BIO 12.06, ISO 27001 A.8.1 and Zero Trust principles. Implementation: 1-3 hours (verify that all devices have a policy FIRST, then enable the setting).